# ==============================================================================
# VIDEO OPTIMIZER - BACKEND SECURITY CONFIGURATION
# ==============================================================================
# Location: /opt/video-optimizer-back/backend/.htaccess
# Purpose: Deny all direct web access to backend files
# Note: Backend should ONLY be accessed via Apache proxy (localhost:5000)
# ==============================================================================

# ------------------------------------------------------------------------------
# DENY ALL ACCESS
# ------------------------------------------------------------------------------

# This backend directory should NOT be directly accessible via web
# All API requests should go through Apache proxy: /video-optimizer/api -> localhost:5000

# Refuse every request that resolves to this directory.
# From .htaccess, Require is only honoured when the server configuration
# grants "AllowOverride AuthConfig" (or All) for this path.
Require all denied

# ------------------------------------------------------------------------------
# EXPLANATION
# ------------------------------------------------------------------------------
#
# The backend Python Flask application runs on localhost:5000 and should ONLY
# be accessible through the Apache reverse proxy configuration.
#
# Direct web access to this directory must be blocked to prevent:
# - Direct access to Python source code
# - Exposure of sensitive configuration files
# - Unauthorized API access bypassing the proxy
# - Security vulnerabilities from direct file access
#
# Correct API access path:
#   ✓ https://ai-sandbox.oliver.solutions/video-optimizer/api/health
#   ✗ Direct access to /opt/video-optimizer-back/backend/app.py
#
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# ADDITIONAL PROTECTION
# ------------------------------------------------------------------------------

# Remove directory listings, symlink traversal and CGI execution in a single
# directive. Every option carries "-", so each is subtracted from whatever the
# parent configuration enabled rather than replacing it.
# -ExecCGI stops CGI scripts only; it does not affect other handlers.
# Options in .htaccess needs "AllowOverride Options" (or All).
Options -Indexes -FollowSymLinks -ExecCGI

# Deny access to all file types.
# The pattern ".*" matches every file name, so this section on its own already
# covers the more specific <Files>/<FilesMatch> sections that follow; those
# name the most sensitive file types explicitly.
<FilesMatch ".*">
    Require all denied
</FilesMatch>

# Python sources and compiled artefacts: .py, .pyc, .pyo, .pyd
<FilesMatch "\.py[cod]?$">
    Require all denied
</FilesMatch>

# Environment files: any name that begins with ".env" (.env, .env.local, ...)
<FilesMatch "^\.env">
    Require all denied
</FilesMatch>

# JSON configuration files
<FilesMatch "\.json$">
    Require all denied
</FilesMatch>

# Log files
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>

# Dependency manifest (exact file name)
<FilesMatch "^requirements\.txt$">
    Require all denied
</FilesMatch>

# This .htaccess file itself
<Files ".htaccess">
    Require all denied
</Files>

# Any other dot-file (the pattern also matches .env* and .htaccess)
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# ------------------------------------------------------------------------------
# SECURITY HEADERS (In case of misconfiguration)
# ------------------------------------------------------------------------------

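# Response headers applied only when mod_headers is loaded; without the module
# this whole section is skipped silently. Header in .htaccess needs
# "AllowOverride FileInfo" (or All).
<IfModule mod_headers.c>
    # "always" puts each header in the table Apache also uses for locally
    # generated error responses. A plain "Header set" only affects successful
    # responses, so the 403 produced by the deny rules in this file would go
    # out without these headers.

    # If somehow accessed, prevent rendering in browser
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    # Legacy header: current major browsers no longer implement the XSS filter
    # it controls. Kept as the author set it.
    Header always set X-XSS-Protection "1; mode=block"

    # Prevent caching by browsers and intermediaries
    Header always set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
    Header always set Pragma "no-cache"
    Header always set Expires "0"
</IfModule>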

# ==============================================================================
# IMPORTANT NOTES
# ==============================================================================
#
# 1. This directory (/opt/video-optimizer-back/backend/) is NOT in the web root
#    (/var/www/html/), so it should not be accessible via Apache anyway.
#
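# 2. This .htaccess file is a defense-in-depth measure to prevent access
#    in case of Apache misconfiguration. Apache only reads it when
#    AllowOverride permits overrides for this directory; under
#    "AllowOverride None" the file is ignored, so an equivalent
#    <Directory> deny rule in the server configuration is the more
#    dependable control.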
#
# 3. The backend Flask application is bound to 127.0.0.1:5000 (localhost only)
#    and cannot be accessed directly from the internet.
#
# 4. All API requests must go through the Apache proxy configuration:
#    <Location /video-optimizer/api>
#        ProxyPass http://127.0.0.1:5000/api
#        ProxyPassReverse http://127.0.0.1:5000/api
#    </Location>
#
# 5. If you need to access backend files for maintenance, use SSH:
#    ssh user@ai-sandbox.oliver.solutions
#    cd /opt/video-optimizer-back/backend/
#
# ==============================================================================
# END OF CONFIGURATION
# ==============================================================================
